Make TrustedTypeUtils::ProcessValueWithADefaultPolicy work with workers
Categories: Core :: DOM: Security, task
People: Reporter: fredw, Unassigned
References: Blocks 5 open bugs
Details: Whiteboard: [domsecurity-backlog]
See
https://w3c.github.io/trusted-types/dist/spec/#process-value-with-a-default-policy-algorithm
https://w3c.github.io/trusted-types/dist/spec/#integration-with-html
It's retrieving the defaultPolicy of the trusted type policy factory of the global object passed as a parameter, and such a trusted type policy factory is available on either a Window or a Worker.
But in our code we are only retrieving it as window:
https://searchfox.org/mozilla-central/rev/964b8aa226c68bbf83c9ffc38984804734bb0de2/dom/security/trusted-types/TrustedTypeUtils.cpp#139
The function also has a comment which I don't really understand (I'll replace it with a TODO pointing to that new bug instead):
// Since this function is for `TrustedHTML`, the `TrustedTypePolicyFactory`
// has to stem from the inner window, not from a Worker.
I think the present bug is a bit different from bug 1901492: ProcessValueWithADefaultPolicy does not involve a CSP and we can probably already change the function to retrieve the trustedTypePolicyFactory from a Window or Worker. However, ProcessValueWithADefaultPolicy is also only called from GetTrustedTypesCompliantString after it successfully gets a CSP, so probably this change won't have any effect for now anyway. Maybe that's what the comment above meant.
Updated•1 month ago
Comment 1•27 days ago
(In reply to Frédéric Wang (:fredw) from comment #0)
> See
> https://w3c.github.io/trusted-types/dist/spec/#process-value-with-a-default-policy-algorithm
> https://w3c.github.io/trusted-types/dist/spec/#integration-with-html
> It's retrieving the defaultPolicy of the trusted type policy factory of the global object passed as a parameter, and such a trusted type policy factory is available on either a Window or a Worker.
> But in our code we are only retrieving it as window:
> https://searchfox.org/mozilla-central/rev/964b8aa226c68bbf83c9ffc38984804734bb0de2/dom/security/trusted-types/TrustedTypeUtils.cpp#139
> The function also has a comment which I don't really understand (I'll replace it with a TODO pointing to that new bug instead):
> // Since this function is for `TrustedHTML`, the `TrustedTypePolicyFactory`
> // has to stem from the inner window, not from a Worker.
Workers don't support HTML injection sinks. Only the ones for TrustedScript (e.g. eval) and perhaps TrustedScriptURL. Hence, when [1] is called, that call currently has to stem from a Window.
> I think the present bug is a bit different from bug 1901492: ProcessValueWithADefaultPolicy does not involve a CSP and we can probably already change the function to retrieve the trustedTypePolicyFactory from a Window or Worker.
Correct.
> However, ProcessValueWithADefaultPolicy is also only called from GetTrustedTypesCompliantString after it successfully gets a CSP, so probably this change won't have any effect for now anyway. Maybe that's what the comment above meant.
Comment 2•27 days ago (Reporter)
(In reply to Mirko Brodesser (:mbrodesser-Igalia) from comment #1)
> Workers don't support HTML injection sinks. Only the ones for TrustedScript (e.g. eval) and perhaps TrustedScriptURL. Hence, when [1] is called, that call currently has to stem from a Window.
Thanks for the clarification. Since in my patch I'm extending the functions to support TrustedScript/TrustedScriptURL, I guess it makes sense to remove this comment and add a TODO to the present bug instead.
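A small JavaScript model of the "process value with a default policy" algorithm discussed in this bug, added here as an illustration (it is not Gecko code and not code from the bug or the patch). It contrasts reading the policy factory from whichever global is passed in with a Window-only lookup; `Trusted`, `makeGlobal`, `processValueWindowOnly` and the sample worker policy are hypothetical names constructed for the example.

```javascript
// Minimal stand-in for a trusted type instance (constructed for this example).
class Trusted {
  constructor(typeName, data) { this.typeName = typeName; this.data = data; }
  toString() { return this.data; }
}

// Default-policy callback that is consulted for each trusted type name.
const CALLBACK_FOR = {
  TrustedHTML: "createHTML",
  TrustedScript: "createScript",
  TrustedScriptURL: "createScriptURL",
};

// Hypothetical mock of a global (Window or Worker) carrying a trusted type
// policy factory; defaultPolicy is modelled as a plain object of callbacks.
function makeGlobal(kind, defaultPolicy = null) {
  return { kind, trustedTypes: { defaultPolicy } };
}

// Model of the spec algorithm: the default policy is taken from the factory
// of the global passed as a parameter, whatever kind of global that is.
function processValueWithDefaultPolicy(expectedType, global, input, sink) {
  const defaultPolicy = global.trustedTypes.defaultPolicy;
  const callback = defaultPolicy && defaultPolicy[CALLBACK_FOR[expectedType]];
  // No default policy, or no callback for this type: nothing to apply.
  if (typeof callback !== "function") return null;
  // Exceptions thrown by the callback propagate to the caller.
  const policyValue = callback(input, expectedType, sink);
  if (policyValue === null || policyValue === undefined) return policyValue;
  return new Trusted(expectedType, String(policyValue));
}

// Variant mirroring the limitation described in the bug: only a Window global
// is consulted, so a default policy registered in a Worker is never found.
function processValueWindowOnly(expectedType, global, input, sink) {
  if (global.kind !== "Window") return null;
  return processValueWithDefaultPolicy(expectedType, global, input, sink);
}

// Constructed sample: a worker whose default policy only covers script sinks.
const workerGlobal = makeGlobal("Worker", {
  createScript: (input, type, sink) =>
    sink === "eval" ? `/*checked*/${input}` : null,
});
```

With the worker global above, the generic lookup returns a TrustedScript for the `eval` sink, while the Window-only variant returns null, which a caller enforcing Trusted Types would treat as "no default policy handled this value".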